National Identity Management Commission (NIMC) has on Tuesday, January 11 debunked claim of the country’s identity database being breached by hackers.
Director-General of NIMC, Engr. Aliyu Aziz in a statement released on Tuesday January 11, said they’ve gone great lengths to ensure the nation’s database is adequately secured and protected especially given the spate of cyber-attacks on networks across the world.
The Commission revealed this in reaction to a hacker identified as Sam who on Monday claimed he successfully breached the server of NIMC.
He revealed how easy it was for him to breach the server and access the personal information of millions of people.
According to Sam, he came across these data while sourcing for something else to help him decompile some applications he was working on.
The hacker in the article that has generated angry reactions from some Nigerians on Twitter especially tech enthusiasts stated;
As usual, I am hunting for something in the source code of the application, As the scope is huge, So I collected all the applications and decompiled them all at once with apktool with this command: find . -iname “*.apk” -exec apktool d -o {}_out {} \;.
Now I started to look for something juicy in decompiled files, but as there are about 50+ applications, I can’t look at each of them manually right? I just got an idea of nuclei, and boom I knew there are templates for android applications, I just downloaded them and, started nuclei on the whole directory,
He further stated;
After 18–19 mins of a run, Nuclei gave an output saying S3 Bucket Found, I tried to access it via AWS CLI, and it’s like: Acess denied, No luck there. Then after a few mins of running, I’ve got one more output for s3 bucket, I casually tried to access it without any hope, and damn! the s3 bucket is full of juice.
And I was just like: I just simply got access to their (Nigeria) data of internal files, Users, and everything they have, I can download everything, Even the whole bucket.
The hacker also posted the data he obtained in the process — a copy of the national identity slip from NIMC but defaced it to hide vital information.
He added;
I wanted to look at more files but as we have to follow bug bounty rules I stopped doing more. I’ve got one more s3 bucket with nuclei and it also contained about 4–5 gigs of data. I’ve rewarded 5250$ for only one report and 0$ for the second one even it contained so much sensitive data.
Hours later, the hacker recanted that the leaked sever was not from any Nigerian portal but Tecno Mobile.
He said he reported the case to Tecno, and the bug fixed.
They fixed it within hours and no one accessed the data. @InfoSecComm @TecnoSRC #bugbounty #bughunter
— Sam (@__Sam0_0) January 10, 2022
He also edited the article published on Medium and removed a copy of the national ID posted as a screenshot in the story — but failed to explain why he mentioned Nigeria’s ID database in the previous version.
New Write-up on InfoSec Write-ups publication : “A TALE OF 5250$ : HOW I ACCESSED MILLIONS OF USER’S DATA INCLUDING THEIR NATIONAL ID’S” #bugbounty #bugbountywriteup #bugbountytips https://t.co/abNL2t5D4E
— InfoSec Community (@InfoSecComm) January 10, 2022
Reacting to the alleged data breach in a statement on Tuesday, NIMC said its servers are secure for identity management and optimised.
The statement reads;
The National Identity Management Commission (NIMC) wishes to inform the public that its servers were not breached but are fully optimised at the highest international security levels as the custodian of the most important national database for Nigeria.
The NIMC Director-General stated that the Commission does not use nor store information on the AWS cloud platform or any public cloud despite the usefulness of the NIMC Mobile App available to the public for accessing their NIN on the go.
